Differential effects of prior experience on the malware resolution process

MIS Quarterly: Management Information Systems

Volumn 38, Issue 3, 2014, Pages 655-678

  Kim, Seung Hyun ^a,b   Kim, Byung Cho ^c  

^a Department of Innovation and Entrepreneurial Marketing   (South Korea)

^b NATIONAL UNIVERSITY OF SINGAPORE   (Singapore)

^c Korea University   (South Korea)

Author keywords

Antivirus software; Catastrophe; Economics of information systems; Information security; Information sharing; Knowledge retention; Learning curve; Malware; Targeted attack

Indexed keywords

COMPUTER CRIME; DIGITAL STORAGE; DISASTERS; INFORMATION ANALYSIS; INFORMATION DISSEMINATION; SECURITY OF DATA;

ANTIVIRUS SOFTWARES; CATASTROPHE; ECONOMICS OF INFORMATION; INFORMATION SHARING; KNOWLEDGE RETENTION; LEARNING CURVES; TARGETED ATTACK;

MALWARE;

EID: 84944902500     PISSN: 02767783     EISSN: 21629730     Source Type: Journal    
DOI: 10.25300/MISQ/2014/38.3.02     Document Type: Article

References (100)

1. Aiken, L. S., and West, G. W. 1991. Multiple Regression: Testing and Interpreting Interactions, Thousand Oaks, CA: SAGE Publications, Inc.
2. Akaike, H. 1974. "A New Look at the Statistical Model Identification", IEEE Transactions on Automatic Control (19), pp. 716-723.
3. Argote, L., Beckman, S. L., and Epple, D. 1990. "The Persistence and Transfer of Learning in Industrial Settings", Management Science (36:2), pp. 140-154.
4. Argote, L., and Epple, D. 1990. "Learning Curves in Manufacturing", Science (247:4945), pp. 920-924.
5. Argote, L., and Ophir, R. 2005. "Intraorganizational Learning", in The Blackwell Companion to Organizations, J. Baum (ed.), Oxford, UK: Wiley-Wiley, pp. 181-207.
6. Arora, A., Caulkins, J. P., and Telang, R. 2006. "Sell First, Fix Later: Impact of Patching on Software Quality", Management Science (52:3), pp. 465-471.
7. Arora, A., Krishnan, R., Telang, R., and Yang, Y. B. 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure", Information Systems Research (21:1), pp. 115-132.
8. Arora, A., Telang, R., and Xu, H. 2008. "Optimal Policy for Software Vulnerability Disclosure", Management Science (54:4), pp. 642-656.
9. ASC. 2007. "Best Practices: Guidelines to Consider in the Evaluation of Potentially Unwanted Technologies", Anti-Spyware Coalition (http://www.antispywarecoalition.org/documents/documents/best-practices-final-working-report.pdf)
10. Ashworth, M., Mukhopadhyay, T., and Argote, L. 2004. "Information Technology and Organizational Learning: An Empirical Analysis", in Proceedings of the 25th International Conference on Information Systems, Washington, DC, December 12-15, pp. 481-492.
11. August, T., and Tunca, T. I. 2006. "Network Software Security and User Incentives", Management Science (52:11), pp. 1703-1720.
12. August, T., and Tunca, T. I. 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions", Information Systems Research (19:1), pp. 48-70.
13. August, T., and Tunca, T. I. 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments", Management Science (57:5), pp. 934-959.
14. Bania, P. 2010. "Fighting Epo Viruses", Symantec Connect, (http://www.symantec.com/connect/articles/fighting-epoviruses).
15. Banker, R. D., Davis, G. B., and Slaughter, S. A. 1998. "Software Development Practices, Software Complexity, and Software Maintenance Performance: A Field Study", Management Science (44:4), pp. 433-450.
16. Baron, R. M., and Kenny, D. A. 1986. "The Moderator Mediator Variable Distinction in Social Psychological-Research: Conceptual, Strategic, and Statistical Considerations", Journal of Personality and Social Psychology (51:6), pp. 1173-1182.
17. Baum, J. A. C., and Dahlin, K. B. 2007. "Aspiration Performance and Railroads' Patterns of Learning from Train Wrecks and Crashes", Organization Science (18:3), pp. 368-385.
18. BBC. 2009. "Governments Hit by Cyber Attack", BBC News, July 8 (http://news.bbc.co.uk/2/hi/technology/8139821.stm).
19. Benkard, C. L. 2000. "Learning and Forgetting: The Dynamics of Aircraft Production", American Economic Review (90:4), pp. 1034-1054.
20. Boh, W. F., Slaughter, S. A., and Espinosa, J. A. 2007. "Learning from Experience in Software Development: A Multilevel Analysis", Management Science (53:8), pp. 1315-1331.
21. Bryan-Low, C. 2004. "Virus for Hire: Growing Number of Hackers Attack Web Sites for Cash", Wall Street Journal, Business Section, November 30, (http://online.wsj.com/article/SB110176932097886077.html).
22. Cavusoglu, H., Mishra, B., and Raghunathan, S. 2004. "The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers", International Journal of Electronic Commerce (9:1), pp. 69-104.
23. Cavusoglu, H., Mishra, B., and Raghunathan, S. 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture", Information Systems Research (16:1), pp. 28-46.
24. Cavusoglu, H., and Raghunathan, S. 2007. "Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge", IEEE Transactions on Software Engineering (33:3), pp. 171-185.
25. Cavusoglu, H., and Zhang, J. 2008. "Security Patch Management: Share the Burden or Share the Damage?", Management Science (54:4), pp. 657-670.
26. Clark, J. R., and Huckman, R. S. 2012. "Broadening Focus: Spillovers, Complementarities, and Specialization in the Hospital Industry", Management Science (58:4), pp. 708-722.
27. Cyveillance. 2010. "Cyveillance Testing Finds AVVendors Detect on Average Less Than 19% of Malware Attacks " (https://www.cyveillance.com/web/blog/press-release/cyveillan ce-testing-finds-av-vendors-detect-on-average-less-than-19-ofmalware-attacks).
28. Darr, E. D., Argote, L., and Epple, D. 1995. "The Acquisition, Transfer, and Depreciation of Knowledge in Service Organizations: Productivity in Franchises", Management Science (41:11), pp. 1750-1762.
29. Desai, C. 2007. "The Evolution of Antivirus Software", Network World (24:42), p. 30.
30. Dutton, J. M., and Thomas, A. 1984. "Treating Progress Functions as a Managerial Opportunity", Academy of Management Review (9:2), pp. 235-247.
31. Ellis, H. 1965. The Transfer of Learning, New York: Macmillan Company.
32. Evans, S. H. 1967. "A Brief Statement of Schema Theory", Psychonomic Science (8), pp. 87-88.
33. Faraj, S., and Sproull, L. 2000. "Coordinating Expertise in Software Development Teams", Management Science (46:12), pp. 1554-1568.
34. Gal-Or, E., and Ghose, A. 2005. "The Economic Incentives for Sharing Security Information", Information Systems Research (16:2), pp. 186-208.
35. Gaynor, M., Seider, H., and Vogt, W. B. 2005. "The Volume-Outcome Effect, Scale Economies, and Learning-by-Doing", American Economic Review (95:2), pp. 243-247.
36. Hatch, N. W., and Mowery, D. C. 1998. "Process Innovation and Learning by Doing in Semiconductor Manufacturing", Management Science (44:11), pp. 1461-1477.
37. Herley, C. 2010. "The Plight of the Targeted Attacker in a World of Scale", in Proceedings of the 9th Workshop on the Economics of Information Security, Boston, June 7-8.
38. Higgins, K. J. 2011. "Targeted Attacks 10 Times More Profitable Than Mass Campaigns", Dark Reading (http://www.darkreading.com/mobile/targeted-attacks-10-times-more-profitabl/231000836).
39. James, K. 2011. "The Organizational Science of Disaster/Terrorism Prevention and Response: Theory-Building toward the Future of the Field", Journal of Organizational Behavior (32:7), pp. 1013-1032.
40. Kannan, K., and Telang, R. 2005. "Market for Software Vulnerabilities? Think Again", Management Science (51:5), pp. 726-740.
41. Kaspersky, E. 2005. "Challenges We Face in Today's Cyber World", presentation at the 8th Association of the Anti Virus Asia Researchers Conference, Tianjin, China (http://www.antiviruschina.org.cn/forum/avar-2005/program-detail/010.htm).
42. KC, D. S., and Staats, B. R. 2012. "Accumulating a Portfolio of Experience: The Effect of Focal and Related Experience on Surgeon Performance", Manufacturing & Service Operations Management (14:4), pp. 618-633.
43. Kim, B. C., Chen, P. Y., and Mukhopadhyay, T. 2009. "An Economic Analysis of the Software Market with a Risk-Sharing Mechanism", International Journal of Electronic Commerce (14:2), pp. 7-39.
44. Kim, B. C., Chen, P. Y., and Mukhopadhyay, T. 2011. "The Effect of Liability and Patch Release on Software Security: The Monopoly Case", Production and Operations Management (20:4), pp. 603-617.
45. Kim, S. H., Wang, Q. H., and Ullrich, J. B. 2012. "A Comparative Study of Cyberattacks", Communications of the ACM (55:3), pp. 66-73.
46. Kim, J. Y., and Miner, A. S. 2009. "Organizational Learning from Extreme Performance Experience: The Impact of Success and Recovery Experience", Organization Science (20:6), pp. 958-978.
47. Kwak, D.-H., Kizzier, D. M., Zo, H., and Jung, E. S. 2011. "Understanding Security Knowledge and National Culture: A Comparative Investigation between Korea and the U. S.", Asia Pacific Journal of Information Systems (21:3), pp. 51-69.
48. Lampel, J., Shamsie, J., and Shapira, Z. 2009. "Experiencing the Improbable: Rare Events and Organizational Learning", Organization Science (20:5), pp. 835-845.
49. Levitt, B., and March, J. G. 1988. "Organizational Learning", Annual Review of Sociology (14), pp. 319-340.
50. Li, P., and Rao, H. R. 2007. "An Examination of Private Intermediaries' Roles in Software Vulnerabilities Disclosure", Information Systems Frontiers (9:5), pp. 531-539.
51. Loewenstein, J., Thompson, L., and Gentner, D. 1999. "Analogical Encoding Facilitates Knowledge Transfer in Negotiation", Psychonomic Bulletin & Review (6:4), pp. 586-597.
52. Madsen, P. M. 2009. "These Lives Will Not Be Lost in Vain: Organizational Learning from Disaster in U. S. Coal Mining", Organization Science (20:5), pp. 861-875.
53. Madsen, P. M., and Desai, V. 2010. "Failing to Learn? The Effects of Failure and Success on Organizational Learning in the Global Orbital Launch Vehicle Industry", Academy of Management Journal (53:3), pp. 451-476.
54. Mahmood, M. A., Siponen, M., Straub, D., Rao, H. R., and Raghu, T. S. 2010. "Moving toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue", MIS Quarterly (34:3), pp. 431-433.
55. March, J. G. 1991. "Exploration and Exploitation in Organizational Learning", Organization Science (2:1), pp. 71-87.
56. March, J. G., and Simon, H. A. 1958. Organizations, New York: John Wiley and Sons.
57. Markoff, J. 2009a. "Defying Experts, Rogue Computer Code Still Lurks", The New York Times, Technology Section, August 26 (http://www.nytimes.com/2009/08/27/technology/27compute.html).
58. Markoff, J. 2009b. "Malicious Software Is Revised", The New York Times, Technology Section, April 9 (http://www.nytimes.com/2009/04/10/technology/10virus.html).
59. Marshall, E. 1989. "Early Data: Losing Our Memory?", Science (244:4910), p. 1250.
60. Mills, E. 2009. "Conficker Wakes Up, Updates Via P2P, Drops Payload", CNET, April 8 (http://news.cnet.com/8301-1009-3-10215678-83.html).
61. NBC News. 2009. "South Korean Web Sites under Renewed Attack", NBCNEWS.com, July 8 (http://www.nbcnews.com/id/31825511/ns/technology-and-science-security/t/south-koreanweb-sites-under-renewed-attack/).
62. Mukhopadhyay, T., Singh, P. V., and Kim, S. H. 2011. "Learning Curves of Agents with Diverse Skills in Information Technology-Enabled Physician Referral Systems", Information Systems Research (22:3), pp. 586-605.
63. Munro, J. 2002. "Antivirus Research and Detection Techniques", Extreme Tech, July 1 (http://www.extremetech.com/computing/51498-antivirus-research-and-detection-techniques).
64. Narayanan, S., Balasubramanian, S., and Swaminathan, J. M. 2009. "A Matter of Balance: Specialization, Task Variety, and Individual Learning in a Software Maintenance Environment", Management Science (55:11), pp. 1861-1876
65. Nash, T. 2005. "An Undirected Attack against Critical Infrastructure: A Case Study for Improving Your Control System Security" US-CERT Control Systems Security Center Case Study Series: Vol. 1.2 (http://ics-cert.us-cert.gov/sites/default/files/documents/CaseStudy-002.pdf).
66. Neild, B. 2009. "Downadup Virus Exposes Millions of PCs to Hijack", CNN.com/Technology, January 16 (http://edition. cnn.com/2009/TECH/ptech/01/16/virus.downadup/?iref= mpstoryview).
67. Nizovtsev, D., and Thursby, M. 2007. "To Disclose or Not? An Analysis of Software User Behavior", Information Economics and Policy (19:1), pp. 43-64.
68. Pisano, G. P., Bohmer, R. M. J., and Edmondson, A. C. 2001. "Organizational Differences in Rates of Learning: Evidence from the Adoption of Minimally Invasive Cardiac Surgery", Management Science (47:6), pp. 752-768.
69. Png, I. P. L., Wang, C. Y., and Wang, Q. H. 2008. "The Deterrent and Displacement Effects of Information Security Enforcement: International Evidence", Journal of Management Information Systems (25:2), pp. 125-144.
70. Purewal, S. J. 2011. "Top 10 Tech Scares of the Decade", PCWorld (http://www.pcworld.com/article/214403/top-10-tech-scares-of-the-decade.html).
71. Rajilch, V. 2006. "Changing the Paradigm of Software Engineering", Communications of the ACM (49:8), pp. 67-70.
72. Ransbotham, S., and Mitra, S. 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise", Information Systems Research (20:1), pp. 121-139.
73. Ransbotham, S., Mitra, S., and Ramsey, J. 2012. "Are Markets for Vulnerabilities Effective?", MIS Quarterly (36:1), pp. 43-64.
74. Richardson, R. 2008. "2008 CSI Computer Crime & Security Survey", San Francisco: Computer Security Institute.
75. Schilling, M. A., Vidal, P., Ployhart, R. E., and Marangoni, A. 2003. "Learning by Doing Something Else: Variation, Relatedness, and the Learning Curve", Management Science (49:1), pp. 39-56.
76. Schmidt, R. A. 1975. "A Schema Theory of Discrete Motor Skill Learning", Psychological Review (82:4), pp. 225-260.
77. SCMagazine. 2011. "Advanced Malware and Targeted Attacks Evade Traditional Defences and Leave Enterprises Vulnerable to Attack", SC Magazine, August 31 (http://www.scmagazineuk.com/advanced-malware-and-targeted-attacks-evade-traditionaldefences-and-leave-enterprises-vulnerable-to-attack/article/210924/).
78. Shanmuga. 2009. "Is Your PC Part of a Zombie Botnet? Check Now!", MalwareHelp. Org (http://www.malwarehelp.org/is-your-pc-part-of-a-zombie-botnet-check-now-2009.html).
79. Shim, W. H. 2012. "An Analysis of Information Security Management Strategies in the Presence of Interdependent Security Risk", Asia Pacific Journal of Information Systems (22:1), pp. 79-101.
80. Silberston, A. 1972. "Economies of Scale in Theory and Practice", The Economic Journal (82:325), pp. 369-391.
81. Smith, A. 1776. The Wealth of Nations, Chicago: University of Chicago Press.
82. Straub, D. W., and Welke, R. J. 1998. "Coping with Systems Risk: Security Planning Models for Management Decision Making", MIS Quarterly (22:4), pp. 441-469.
83. Szor, P. 2005. The Art of Computer Virus Research and Defense, Upper Saddle River, NJ: Addison-Wesley Professional.
84. ® Labs (2:1), pp. 3-5.
85. Telang, R., and Wattal, S. 2007. "An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price", IEEE Transactions on Software Engineering (33:8), pp. 544-557.
86. Temizkan, O., Kumar. R. L., Park, S., and Subramanian, C. 2012. "Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis", Journal of Management Information Systems (28:4), pp. 305-338.
87. Thornton, R. A., and Thompson, P. 2001. "Learning from Experience and Learning from Others: An Exploration of Learning and Spillovers in Wartime Shipbuilding", American Economic Review (91:5), pp. 1350-1368.
88. Turvey, B. 2011. Criminal Profiling: An Introduction to Behavioral Evidence Analysis (4th ed.), New York: Academic Press.
89. Varian, H. 2002. "System Reliability and Free Riding", in Proceedings of the First Workshop on Economics and Information Security, University of California, Berkeley, May 16-17.
90. Venkatarman, S. 1997. "The Distinctive Domain of Entrepreneurship Research: An Editor's Perspective", in Advances in Entrepreneurship, Firm Emergence, and Growth (Volume 3), J. Katz and R. Brockhaus (eds.), Greenwich, CT: JAI Press, pp. 119-138.
91. Vijayan, J. 2006. "Antivirus Vendors Collaborate on Spyware Fight", PCWorld, January 31 (http://www.pcworld.com/article/124564/article.html).
92. Villeneuve, N., and Walton, G. 2009. "Targeted Malware Attack on Foreign Correspondents Based in China", Infowar Monitor, September 28 (http://www.infowar-monitor.net/2009/09/targetedmalware-attack-on-foreign-correspondents-based-in-china).
93. Von Hippel, E. 1998. "Economics of Product Development by Users: The Impact of "Sticky" Local Information", Management Science (44:5), pp. 629-644.
94. Wang, Q. H., and Kim, S. H. 2009. "Cyberattacks: Does Physical Boundary Matter?", in Proceedings of the 30th International Conference on Information Systems, Phoenix, AZ, December 15-18.
95. Wiersma, E. 2007. "Conditions That Shape the Learning Curve: Factors That Increase the Ability and Opportunity to Learn", Management Science (53:12), pp. 1903-1915.
96. Williams, M., Roberts, P., and Evers, J. 2003. "Spread of Slammer Worm Slows", PCWorld, January 27 (http://www.pcworld.com/article/108996/article.html).
97. Wood, P. 2010. "Targeted Attacks Now Using Bredolab Malware", Symantec Connect, February 17 (http://www.symantec.com/connect/blogs/targeted-attacks-now-using-bredolab-malware).
98. Woolley, A. W. 2011. "Responses to Adversarial Situations and Collective Intelligence", Journal of Organizational Behavior (32:7), pp. 978-983.
99. Wright, T. P. 1936. "Factors Affecting the Cost of Airplanes", Journal of Aeronautical Sciences (3:4), pp. 122-128.
100. Yeo, V. 2008. "Can Foreign Antivirus Match Asian Threats?", ZDNet, October 30 (http://www.zdnet.com/can-foreign-antivirusmatch-asian-threats-2062047787/).